From: r...@gnu.ai.mit.edu (Richard Stallman)
Subject: Clinton Administration trying to prohibit real encryption
Date: 1997/03/29
Message-ID: <199703292325.SAA07521@psilocin.gnu.ai.mit.edu>
X-Deja-AN: 229331350
Sender: gnu-misc-dis...@prep.ai.mit.edu
x-gateway: relay2.UU.NET from gnu-misc-discuss to gnu.misc.discuss; 
Sat, 29 Mar 1997 18:24:03 EST
Newsgroups: gnu.misc.discuss


Ever since the Clinton administration proposed the "Clipper chip",
they have been saying "This is just voluntary", and privacy activists
have been saying "They are lying".  Now the administration has proved
the privacy activists right, by proposing laws to *prohibit* using
encryption to keep secrets from the government.

The Free Software Foundation is reposting the announcement below to
express its support for the campaign led by Voters Telecommunications
Watch.  We are not the leaders of this campaign, just spreading the
word; for more details or questions, please contact VTW directly.

If you are a US citizen, we hope you will look at "Adopt Your
Legislator Campaign" web site (see below), and contact your
representatives in Congress, as the VTW suggests.

If you are not a US citizen, you can help in another way--by
volunteering to work on *free* public key encryption software for jobs
such as file transfer, login sessions and web commerce.  There is no
free software for these jobs today--all is either proprietary or
semi-free, and neither kind can be used in a free operating system.
Americans are forbidden to contribute, so the job is up to you.
Please contact g...@prep.ai.mit.edu if you would like to volunteer.


Date: 29 Mar 1997 10:41:48 -0500
From: sha...@panix.com (Shabbir J. Safdar)
Organization: Voters Telecommunications Watch (v...@vtw.org)
Subject: ALERT: White House denigrates your right to privacy! (3/28/1997)
Message-ID: <5hjd7s$6...@panix3.panix.com>
Xref: ix.netcom.com alt.privacy:47050 talk.politics.crypto:23513 
comp.org.eff.talk:94911 comp.org.cpsr.talk:12429 alt.wired:63562 
alt.politics.datahighway:26778 alt.privacy.clipper:7537 alt.bbs.allsysop:28246

==============================================================================
  ___  _     _____ ____ _____ _
 / _ \| |   | ____|  _ \_   _| |         THE CRYPTO BATTLE HAS BEGUN!
| |_| | |   |  _| | |_) || | | |  CLINTON ADMINISTRATION PROPOSES CONTROL OF
|  _  | |___| |___|  _ < | | |_|     ENCRYPTION FOR AMERICANS ON U.S. SOIL
|_| |_|_____|_____|_| \_\|_| (_)               March 28, 1997

                 Do not forward this alert after May 1, 1997.

                         This alert brought to you by:
                     Center for Democracy and Technology
                                  Eagle Forum
                       Electronic Frontier Foundation
                       Voters Telecommunications Watch
                                 Wired Magazine
_____________________________________________________________________________
Table of Contents
      What's Happening Right Now
      What You Can Do Now
      Background
      What's At Stake
      Supporting Organizations

_____________________________________________________________________________
WHAT'S HAPPENING RIGHT NOW

On March 26, 1997, the Clinton Administration proposed draft legislation
which would, for the first time, impose DOMESTIC RESTRICTIONS on the
ability of Americans to protect their privacy and security online.

In its current form, the draft bill seeks to impose a risky
"key-recovery" regime which would compel American citizens to ensure
government access to their private communications. Law enforcement and
national security agents would not even need a court order to access
private decryption keys.

Congress is currently considering three separate bills which would
prohibit the government from imposing "key-recovery" domestically, and
encourage the development of easy-to-use, privacy and security tools
for the Net.

As more and more Americans come online, the Administration's plan is a
giant step backwards and would open a huge window of vulnerability to
the private communications of Internet users.  Americans expect more
when conducting private conversations with their doctors, families,
business partners, or lawyers.

Please read the Alert below to find out what you can do to protect your
privacy online.

________________________________________________________________________________
WHAT YOU CAN DO

1. Adopt Your Legislator

   Now is the time to increase our ranks and prepare for the fight that lies
   ahead of us in Congress.  The time to blast Congress or the White House
   with phone calls and emails will come, but now is not the appropriate
   moment.

   Instead, please take a few minutes to learn more about this important
   issue, and join the Adopt Your Legislator Campaign at
   http://www.crypto.com/adopt/

   This will produce a customized page, just for you with your own
   legislator's telephone number and address.

   In addition, you will receive the latest news and information on the
   issue, as well as targeted alerts informing you when your
   Representatives in Congress do something that could help or hinder
   the future of the Internet.

   Best of all, it's free.  Do your part, Work the Network!

   Visit http://www.crypto.com/adopt/ for details.

2. Beginning Monday March 31, call the White House

   Internet public interest advocates continue to work the Hill in support
   of the three true encryption reform bills in Congress, Pro-CODE, SAFE, &
   ECPA II.  If you still feel a need to voice your opinion, however, you can
   call the White House to express your opinion.

   Step 1 - Beginning Monday March 31, call the White House

        Call 202-456-1111 9am-5pm EST.  Ignore the voice mail survey and
        press '0' to get a comment line operator.
            
   Step 2 - Tell them what you think about intrusions into your privacy!

	Operator: Hello, White House comment line!

SAY     YOU: I'm calling to oppose the president's Internet encryption bill.
THIS ->      It infringes on the privacy of Americans. We need a solution
             to the encryption issue that protects privacy, and this is not
             it.

        Operator: Thank you, I'll pass that along to the President.

3. Spread the Word!

  Forward this Alert to your friends. Help educate the public about the
  importance of this issue.

  Please do not forward after May 1, 1997.

_____________________________________________________________________________
BACKGROUND

Complete background information, including:

* A down-to-earth explanation of why this debate is important to Internet users
* Analysis and background on the issue
* Text of the Administration draft legislation
* Text of Congressional proposals to reform US encryption policy
* Audio transcripts and written testimony from recent Congressional Hearings
  on encryption policy reform
* And more!

Are all available at http://www.crypto.com/
________________________________________________________________________
WHAT'S AT STAKE

Encryption technologies are the locks and keys of the Information age
-- enabling individuals and businesses to protect sensitive information
as it is transmitted over the Internet. As more and more individuals
and businesses come online, the need for strong, reliable, easy-to-use
encryption technologies has become a critical issue to the health and
viability of the Net.

Current US encryption policy, which limits the strength of encryption
products US companies can sell abroad, also limits the availability of
strong, easy-to-use encryption technologies in the United States. US
hardware and software manufacturers who wish to sell their products on
the global market must either conform to US encryption export limits or
produce two separate versions of the same product, a costly and
complicated alternative.

The export controls, which the NSA and FBI argue help to keep strong
encryption out of the hands of foreign adversaries, are having the
opposite effect. Strong encryption is available abroad, but because of
the export limits and the confusion created by nearly four years of
debate over US encryption policy, strong, easy-to-use privacy and
security technologies are not widely available off the shelf or "on the
net" here in the US. 

A recently discovered flaw in the security of the new digital telephone
network exposed the worst aspects of the Administration's encryption
policy.  Because the designers needed to be able to export their
products, the system's security was "dumbed down".  Researchers subsequently
discovered that it is quite easy to break the security of the system and
intrude on what should be private conversations.

This incident underscores the larger policy problem: US companies are
at a competitive disadvantage in the global marketplace when competing
against companies that do not have such hindrances.  And now, for the first
time in history, the Clinton Administration has DOMESTIC RESTRICTIONS on the
ability of Americans to protect their privacy and security online.

All of us care about our national security, and no one wants to make it
any easier for criminals and terrorists to commit criminal acts. But we
must also recognize encryption technologies can aid law enforcement
and protect national security by limiting the threat of industrial
espionage and foreign spying, promoting electronic commerce and protecting
privacy.

What's at stake in this debate is nothing less than the future of
privacy and the fate of the Internet as a secure and trusted medium for
commerce, education, and political discourse.

______________________________________________________________________________
SUPPORTING ORGANIZATIONS

For more information, contact the following organizations who have signed onto
this effort at their web sites.

Center for Democracy and Technology                      http://www.cdt.org
    Press contact: Jonah Seiger, +1.202.637.9800
Eagle Forum                                       http://www.eagleforum.org
    Press contact: Phyllis Schlafly, +1.314.721.1213
Electronic Frontier Foundation                           http://www.eff.org
    Press contact: Stanton McCandlish, +1.415.436.9333
Voters Telecommunications Watch                          http://www.vtw.org
    Press contact: Shabbir J. Safdar, +1.718.596.7234
Wired Magazine                                         http://www.wired.com
    Press contact: Todd Lappin, +1.415.276.5224

______________________________________________________________________________
end alert
==============================================================================
------- end of forwarded message -------
------- End of forwarded message -------

From: Al Petrofsky  
Subject: Re: Clinton Administration trying to prohibit real encryption
Date: 1997/03/29
Message-ID: <87u3luot4d.fsf@albatros.wco.com>
X-Deja-AN: 229396710
Sender: a...@albatros.wco.com
References: <199703292325.SAA07521@psilocin.gnu.ai.mit.edu>
X-Server-Date: 30 Mar 1997 05:18:12 GMT
Organization: The Vegetable Liberation Front
Newsgroups: gnu.misc.discuss


r...@gnu.ai.mit.edu (Richard Stallman) writes:

> Ever since the Clinton administration proposed the "Clipper chip",
> they have been saying "This is just voluntary", and privacy activists
> have been saying "They are lying".  Now the administration has proved
> the privacy activists right, by proposing laws to *prohibit* using
> encryption to keep secrets from the government.

After reading the draft legislation, I agree it's terrible, but I
don't see how you can say it prohibits using encryption to keep
secrets from the government.  It sets up a government-endorsed key
management infrastructure with the feature that the government can see
all the keys, but it explicitly states that "Participation in the key
management infrastructure enabled by this Act is voluntary".  What
section do you read as prohibiting real encryption?

Section 103 is definitely scary:

  SEC. 103.  LAWFUL USE OF ENCRYPTION.

  It shall be lawful for any person within any State of the United States, 
  the District of Columbia, the Commonwealth of Puerto Rico, and any 
  territory or possession of the United States, to use any encryption, 
  regardless of the encryption algorithm selected, encryption key length 
  chosen, or implementation technique  or medium used, except as provided 
  in this Act or in any other law.  Participation in the key management 
  infrastructure enabled by this Act is voluntary.

It starts sounding like a proclamation of a universal right to use
encryption, but at the end of the sentence we realize the intent is to
establish that there is no such right and that the government will
feel free to restrict encryption as much as it likes.  As bad as this
is, I can't find anything in the rest of the act that restricts using
encryption without giving keys to the government.  All of the criminal
acts in section 403 involve misbehavior by people participating in the
infrastructure or trying to compromise it.  Missing is anything
prohibiting the use of non-government-sanctioned certificate
authorities.

-al

To make sure we're all reading from the same text, here is the source
material I grabbed from www.crypto.com/clinton/970312_admin.html:

  Text of Administration March 12 Key Recovery Draft Legislation:

  105th CONGRESS						DRAFT 3/12/97

  1st Session                 H.R. _________________

		     ________________________________________

  Mr. _________________ of _________________ introduced the following 
  bill;  which was referred to the Committee on _____________________


				  A BILL 

       To enable the development of a key management infrastructure for 
  public-key-based encryption and attendant encryption products that will 
  assure that individuals and businesses can transmit and receive 
  information electronically with confidence in the information's 
  confidentiality, integrity, availability, and authenticity, and that 
  will promote timely lawful government access.

       Be it enacted by the Senate and House of Representatives of the 
  United States of America in Congress assembled,

		     TITLE I -- GENERAL PROVISIONS

  SEC. 101.  SHORT TITLE

  This Act may be cited as the "Electronic Data Security Act of 1997".

  SEC. 102.  FINDINGS

  The Congress finds the following:

  (A)  The development of the information superhighway is fundamentally 
  changing the way we interact. The nation's commerce is moving to 
  networking.  Individuals, government entities, and other institutions 
  are communicating across common links.

  (B)  The Internet has provided our society with a glimpse of what is 
  possible in the information age, and the demand for information access 
  and electronic commerce is rapidly increasing.  The demands are arising 
  from all elements of society, including banks, manufacturers, service 
  providers, state and local governments, and educational institutions.

  (C)  Today, business and social interactions occur through face-to-face 
  discussions, telephone communications, and written correspondence.  Each 
  of these methods for interacting enables us to recognize the face, or 
  voice, or written signature of the person with whom we are dealing. It 
  is this recognition that permits us to trust the communication.

  (D)  In the information age, however, those personal attributes will be 
  replaced with digital equivalents upon which we will rely.  Electronic 
  digital transmissions, through which many businesses and social 
  interactions will occur, inherently separate the communication from the 
  person, forsaking confidence once derived from a handshake or a signed 
  document.

  (E)  At the same time, society's increasing reliance on information 
  systems in this new environment exposes U.S. citizens, institutions, and 
  their information to unprecedented risks.

  (F)  In order for the global information infrastructure and electronic 
  commerce to achieve their potential, information systems must be imbued 
  with the attributes that overcome these risks and must provide trusted 
  methods to identify users.

  (G)  Cryptography can meet these needs.  Cryptography can be used to 
  digitally sign communications or electronic documents such that a 
  recipient can be confident that any message he or she received could 
  only have come from the apparent sender.  Moreover, cryptography is an 
  important tool in protecting the confidentiality of wire and electronic 
  communications and stored data.  Thus, there is a national need to 
  encourage the development, adoption, and use of cryptographic products 
  that are consistent with the foregoing considerations and are 
  appropriate for use both in domestic and export markets by the United 
  States Government.

  (H)  The lack of a key management infrastructure impedes the use of 
  cryptography and, therefore, the potential of electronic commerce.  
  Users cannot encrypt messages without keys, therefore, they need a 
  secure and standardized mechanism for the generation of keys, storage of 
  keys, and transfer of keys between users.  There is currently no 
  standardized mechanism for the generation of keys, storage of keys, and 
  transfer of keys between users.  There is currently no standardized 
  method in the private sector to accomplish all of these tasks, thus 
  users must individually assume these burdens or forego the use of 
  cryptography.

  (I)  Industry must work with government to develop a public-key-based 
  key management infrastructure and attendant products that will ensure 
  participants can transmit, receive, and use information electronically 
  with confidence in the information's integrity, confidentiality, 
  authenticity, and origin, while also allowing timely lawful government 
  access.

  (J)  To this end, the government should issue appropriate public key 
  encryption standards for federal systems and encourage the development 
  of interoperable private sector standards for use across border.  
  However, the architecture(s) the government endorses in its standards 
  must permit the use of any encryption algorithm.

  (K)  To effectively serve the public, such a key management 
  infrastructure must be founded upon a system of trusted service 
  providers to ensure acceptable standards of security, reliability, and 
  interoperability.

  (L)  While cryptographic products and services are useful for protecting 
  information and its authenticity, such products also can be used by 
  terrorists, organized crime syndicates, drug trafficking organizations, 
  and other dangerous and violent criminals to avoid detection and to hide 
  evidence of criminal activity, thereby jeopardizing effective law 
  enforcement, public safety, and national security.

  (M)  Any effective key management infrastructure must not hinder the 
  ability of government agencies, pursuant to lawful authority, to 
  decipher in a timely manner and obtain the plaintext of communications 
  and stored data.

  SEC. 103.  LAWFUL USE OF ENCRYPTION.

  It shall be lawful for any person within any State of the United States, 
  the District of Columbia, the Commonwealth of Puerto Rico, and any 
  territory or possession of the United States, to use any encryption, 
  regardless of the encryption algorithm selected, encryption key length 
  chosen, or implementation technique  or medium used, except as provided 
  in this Act or in any other law.  Participation in the key management 
  infrastructure enabled by this Act is voluntary.

	  TITLE II -- REGISTRATION OF CERTIFICATE AUTHORITIES AND KEY 
			       RECOVERY AGENTS


  SEC. 201.  REGISTRATION OF CERTIFICATE AUTHORITIES

  The Secretary may register any suitable private sector entity, 
  government agency, or foreign government agency to act as a Certificate 
  Authority if the Secretary determines that the entity or agency meets 
  minimum standards, as specified in regulations promulgated by the 
  Secretary, for security, performance, and practices in order to 
  accomplish the duties of a Certificate Authority registered under this 
  Act.  The Secretary may condition, modify or revoke such a registration 
  if the registered entity or agency has violated any provision of this 
  Act or any rule, regulation, or requirement prescribed by the Secretary 
  under this Act, or for any other reasons specified by the Secretary in 
  rule or regulation.

  SEC. 202.  REGISTRATION OF KEY RECOVERY AGENTS.

  (A)  Registration by the Secretary.  The Secretary may register a 
  suitable private sector entity or government agency to act as a Key 
  Recovery Agent if the Secretary determines that the entity or agency 
  possesses the capability, competency, trustworthiness and resources to 
  safeguard sensitive information entrusted to it, to carry out the 
  responsibilities set forth in subsection (B) of this section, and to 
  comply with the Secretary's regulations.

  (B)  Responsibilities of Key Recovery Agents.  A Key Recovery Agent 
  registered under subsection (A) of this section shall, consistent with 
  regulations issued by the Secretary, establish procedures and take other 
  appropriate steps --

       (1)  to ensure the confidentiality, integrity, availability and 
       timely release of recovery information held by the Key Recovery 
       Agent;

       (2)  to protect the confidentiality of the identity of the person
       or persons for whom such Key Recovery Agent holds recovery 
       information; 

       (3)  to protect the confidentiality of lawful requests for recovery 
       information and the identity of the individual or government agency 
       requesting recovery information and all information concerning such 
       individual's or agency's access to and use of recovery information;

       (4)  to carry out the responsibilities set forth in this Act and 
       implementing regulations.

  (C)  Revocation of Key Recovery Agent Registration.  The Secretary may 
  condition, modify, or revoke a Key Recovery Agent's registration if the 
  registered entity or agency has violated any provision of this Act or 
  any rule, regulation, or requirement prescribed by the Secretary under 
  this Act, or for any other reasons specified by the Secretary in rule or 
  regulation.

  SEC. 203.  PUBLIC KEY CERTIFICATES FOR ENCRYPTION KEYS.

  The Secretary or a Certificate Authority registered under this Act may 
  issue to a person a public key certificate that certifies a public key 
  that can be used for encryption only if the person:

       (A)  stores with a Key Recovery Agent registered by the Secretary 
       under this Act sufficient information, as specified by the 
       Secretary in regulations, to allow lawful recovery of the plaintext 
       of that person's encrypted data and communications; or

       (B)  makes other arrangements, approved by the Secretary pursuant
       to regulations acceptable to the Attorney General, that assure that 
       lawful recovery of the plaintext of encrypted data and 
       communications can be accomplished confidentially when necessary.

	       TITLE III -- RELEASE OF RECOVERY INFORMATION
			   BY KEY RECOVERY AGENTS

  SEC. 301.  CIRCUMSTANCES IN WHICH INFORMATION MAY BE RELEASED

  A Key Recovery Agent, whether or not registered by the Secretary under 
  this Act, is prohibited from disclosing recovery information stored by a 
  person unless the disclosure is -- 

       (A)  to that person, or an authorized agent thereof;

       (B)  with the consent of that person, including pursuant to a 
       contract entered into with that person;

       (C)  pursuant to a court order upon a showing of compelling need 
       for the information that cannot be accommodated by any other
       means, if --
	  (1)  the person who stored the information is given reasonable 
	  notice, by the person seeking the disclosure of the court 
	  proceeding relevant to the issuance of the court order; and
	  (2)  the person who stored the information is afforded the 
	  opportunity to appear in the court proceeding and contest the
	  claim of the person seeking the
	  disclosure;

       (D)  pursuant to a determination by a court of competent
       jurisdiction that another person is lawfully entitled to hold such
       recovery information, particularly including determinations arising
       from legal proceedings associated with the death or dissolution of
       any person; or

       (E)  as otherwise permitted by this Act or other law, particularly
       including release of recovery information pursuant to section 302
       of this Act.

  SEC. 302.  RELEASE OF RECOVERY INFORMATION TO GOVERNMENT AGENCIES.

  (A)  A Key Recovery Agent, whether or not registered by the Secretary 
  under this Act, shall disclose recovery information stored by a person:
       (1)  to a government agency acting pursuant to a duly authorized
       warrant or court order, a subpoena authorized by Federal or State
       statute or rule, a certification issued by the Attorney General
       under the Foreign Intelligence Surveillance Act, or other lawful
       authority that allows access to recovery information by such
       agency; or

       (2)  to a law enforcement or national security government agency
       upon receipt of written authorization in a form to be specified by
       the Attorney General.

  (B)  The Attorney General shall issue regulations governing the use of 
  written authorizations to require release of recovery information to law 
  enforcement and national security government agencies.  Those 
  regulations shall permit the use of written authorizations only when the 
  government agency is lawfully entitled to determine the plaintext of 
  wire or electronic communications or of electronic information and will 
  use the recovery information for that purpose, to test products in the 
  agency's possession, to prove facts in legal proceedings, or to comply 
  with a request from a duly authorized agency or a foreign government.

  SEC. 303.  USE AND DESTRUCTION OF RECOVERY INFORMATION RELEASED TO A 
  GOVERNMENT AGENCY.

  A government agency to which recovery information has been released in 
  response to a written authorization issued under section 302(A)(2) of 
  the Act, by a Key Recovery Agent registered under this Act, may use the 
  recovery information only to determine the plaintext of any wire or 
  electronic communication or of any stored electronic information that 
  the agency lawfully acquires or intercepts, to test cryptographic 
  products in the agency's possession, to prove facts in legal 
  proceedings, or to comply with the request of a duly authorized agency 
  of a foreign government.  Once such lawful use is completed, the 
  government agency shall destroy the recovery information in its 
  possession and shall make a record documenting such destruction.  The 
  government agency shall not use the recovery information to determine 
  the plaintext of any wire or electronic communication or of any stored 
  electronic information unless it has lawful authority to do so apart 
  from the Act.

  SEC. 304.  CONFIDENTIALITY OF RELEASE OF RECOVERY INFORMATION.

  A Key Recovery Agent or other person shall not disclose to any person, 
  except as authorized by this Act or regulations promulgated thereunder 
  or except as ordered by a federal court of competent jurisdiction, the 
  facts or circumstances of any release of recovery information pursuant 
  to section 302(A)(2) of the Act or requests therefor.



			 TITLE IV -- LIABILITY

  SEC. 401.  CIVIL ENFORCEMENT

  (A)  Enforcement by the Secretary.  The Secretary may, when appropriate 
  in fulfilling his or her duties under this Act or the regulations 
  promulgated thereunder, make investigations, obtain information, take 
  sworn testimony, and require reports or the keeping of records by, and 
  make inspection of the books, records, and other writings, premises or 
  property of registered entities.

  (B)  Civil Penalties.  Any person who violates section 403 of this Act 
  shall be subject to a civil penalty in an amount assessed by a court in 
  a civil action.
       (1)  The amount of the civil penalty may not exceed $10,000 per
       violation, unless the violation was willful, or was committed by a
       Key Recovery Agent or a Certificate Authority not registered under
       this Act.  In determining the amount of the penalty the court shall
       consider the risk of harm to law enforcement, public safety, and
       national security, the risk of harm to affected persons, the gross
       receipts of the charged party, the judgment of the Attorney General
       concerning the appropriate penalty, and the willfulness of the
       violation.
       (2)  A civil action to recover such a civil penalty may be
       commenced by the Attorney General.
       (3)  A civil action under this subsection may not be commenced
       later than 5 years after the cause of the action accrues.

  (C)  Injunctions.  The Attorney General may bring an action to enjoin 
  any person from committing any violation of any provision of the Act or 
  regulations promulgated thereunder.

  (D)  Jurisdiction.  The district courts of the United States shall have 
  original jurisdictions over any actions brought by the Attorney General 
  under this section.

  SEC. 402.  CIVIL CAUSE OF ACTION AGAINST THE UNITED STATES GOVERNMENT.

  (A)  Cause of Action.  Except as otherwise provided in this Act, any 
  person whose recovery information is knowingly obtained without lawful 
  authority by an agent of the United States Government from a registered 
  Key Recovery Agent, or, if obtained by an agent of the United States 
  Government with lawful authority from a registered Key Recovery Agent, 
  is knowingly used or disclosed without lawful authority, may, in a civil 
  action, recover from the United States Government the actual damages 
  suffered by the plaintiff, and reasonable attorney's fee and other 
  litigation costs reasonably incurred.

  (B)  Limitations.  A civil action under this section may not be 
  commenced later than two years after the date upon which the claimant 
  first discovered or had a reasonable opportunity to discover the 
  violation.

  SEC. 403.  CRIMINAL ACTS.

  It shall be unlawful for any person --
       (A)  if a Certificate Authority registered under this Act,
       intentionally to issue a public key certificate in violation of
       section 203 of this Act;

       (B)  intentionally to disclose recovery information in violation of
       this Act;

       (C)  intentionally to obtain or use recovery information without
       lawful authority, or, having received such information with lawful
       authority, intentionally to exceed such authority for the purpose
       of decrypting data or communications;

       (D)  if a Key Recovery Agent, or officer, employee, or agent
       thereof, intentionally to disclose the facts or circumstances of
       any release of recovery information or requests therefor in
       violation of this Act;

       (E)  intentionally to issue a public key certificate under this
       Act, or to fail to revoke such a certificate, knowing that the
       person from whom the certificate is issued does not meet the
       requirements of this Act or the regulations promulgated thereunder;

       (F)  intentionally to apply for or obtain a public key certificate
       under this Act, knowing that the person to be identified in the
       public key certificate does not meet the requirements of this Act
       or the Regulations promulgated thereunder; or

       (G)  knowingly to issue a public key certificate in furtherance of
       the commission of a criminal offense which may be prosecuted in a
       court of competent jurisdiction.

  Any person who violates this section shall be fined under title 18, 
  United States Code, or imprisoned not more than five years, or both.

  SEC. 404.  USE OF ENCRYPTION IN FURTHERANCE OF CRIME.

  (A)  Whoever knowingly encrypts data or communications in furtherance 
  of the commission of a criminal offense for which the person may be 
  prosecuted in a court of competent jurisdiction shall, in addition to 
  any penalties for the underlying criminal offense, be fined under title 
  18, United States Code, or imprisoned not more than five years, or both.

  (B)  It is an affirmative defense to a prosecution under this section 
  that the defendant stored sufficient information to decrypt the data or 
  communications with a Key Recovery Agent registered under this Act if that 
  information is reasonably available to the government.  The defendant 
  bears the burden of persuasion on this issue.

  (C)  The United States Sentencing Commission shall, pursuant to its 
  authority under section 9944(p) of title 28, United States Code, amend 
  the sentencing guidelines to ensure that any person convicted of a 
  violation of subsection (A) of this section is imprisoned for not less 
  than 6 months, and if convicted of other offenses at the same time, has 
  the offense level increased by at least three levels.

  SEC. 405.  NO CAUSE OF ACTION FOR COMPLYING WITH GOVERNMENT REQUESTS.

  No civil or criminal liability under this Act or any other law shall 
  attach to any Key Recovery Agent, its officers, employees, agents, or 
  any other persons specified by the Secretary in regulations, for 
  disclosing recovery information or providing other assistance to a 
  government agency in accordance with the terms of a court order, 
  warrant, subpoena, certification, written authorization or other legal 
  authority.

  SEC. 406.  COMPLIANCE DEFENSE.

  Compliance with this Act and the regulations promulgated thereunder is a 
  complete defense, for Certificate Authorities registered under this Act 
  and Key Recovery Agents registered under this Act, to any noncontractual 
  civil action for damages based upon activities regulated by this Act.

  SEC. 407.  GOOD FAITH DEFENSE.

  A good faith reliance on a court warrant or order, subpoena, legislative 
  authorization, statutory authorization, a certification, a written 
  authorization, or other legal authority for access to recovery 
  information under this Act or its implementing regulations is a complete 
  defense to any civil or criminal action brought under this Act.

  SEC. 408.  FEDERAL GOVERNMENT LIABILITY.

  Except as provided otherwise in this Act, the United States shall not be 
  liable for any loss incurred by any individual or entity resulting from 
  any violation of this Act or the failure to exercise reasonable care in 
  the performance of any duties under any regulation or procedure 
  established by or under this Act, nor resulting from any action by any 
  person who is not an official or employee of the United States.


		   TITLE V -- OTHER KEY RECOVERY PROVISIONS

  SEC. 501.  LABELING OF ENCRYPTION PRODUCTS.

  (A)  Any person engaged in manufacturing, importing, packaging, 
  distributing or labeling of encryption products for purposes of sale or 
  distribution in the United States shall package and label them so as to 
  inform the user whether the products use Key Recovery Agents registered 
  under this Act for storage of recovery information, and whether such 
  products are authorized for use in transactions with the United States 
  Government, as specified in regulations promulgated by the Secretary.

  (B)  The provisions contained in subsection (A) shall not apply to 
  persons engaged in business as wholesale or retail distributors of 
  encryption products to users except to the extent such persons are (1) 
  engaged in packaging or labeling of such products for sale to users, or 
  (2) prescribe or specify by any means the manner in which such products 
  are packaged or labeled.

  SEC. 502.  CONTRACTS, COOPERATIVE AGREEMENTS, JOINT VENTURES AND OTHER 
  TRANSACTIONS.

  A Federal agency approved as a Key Recovery Agent under this Act may 
  enter into contracts, cooperative agreements, joint ventures and other 
  transactions and take other appropriate steps to carry out its 
  responsibilities.

  SEC. 503.  NEGOTIATION WITH OTHER COUNTRIES.

  The President shall conduct negotiations with other countries, on a 
  bilateral or multilateral basis, for the purpose of seeking and 
  concluding mutual recognition arrangements for Key Recovery Agents and 
  Certificate Authorities registered by the United States and other 
  countries.

		     TITLE VI -- MISCELLANEOUS PROVISIONS

  SEC. 601.  REGULATION AND FEES.

  (A)  Within one hundred and eighty days after the date of the enactment 
  of this Act, the Secretary shall, in coordination with the Secretary of 
  State, Secretary of Defense, and Attorney General, after notice to the 
  public and opportunity for comment, issue any regulations necessary to 
  carry out this Act.

  (B)  The Secretary may delay the date for compliance with the 
  regulations issued for up to one year if the Secretary determines that 
  the delay is necessary to allow for compliance with the regulations.

  (C)  The Secretary may charge such fees as are appropriate in order to 
  accomplish his or her duties under this Act.

  SEC. 602.  INTERPRETATION.

  Nothing contained in this Title shall be deemed to preempt or otherwise 
  affect the applications of the Arms Export Control Act (22 U.S.C. 2751 
  et seq.) or any regulations promulgated thereunder.  (Language 
  concerning the Export Administration Act and/or IEEPA is under 
  development.)

  SEC. 603.  SEVERABILITY.

  If any provision of this Act, or the application thereof, to any person 
  or circumstance, is held invalid, the remainder of this Act, and the 
  application thereof, to other persons or circumstances shall not be 
  affected thereby.

  SEC. 604.  AUTHORIZATION OF APPROPRIATIONS.

  [This section is reserved pending discussions to develop language that 
  is consistent with the President's budget.]

  SEC. 605.  DEFINITIONS.

  For purposes of this Act:
       (1)  The term "person" means any individual, corporation, company, 
  association, firm, partnership, society, or joint stock company.

       (2)  The term "Secretary" means the Secretary of Commerce of the 
  United States or his or her designee.

       (3)  The term "Secretary of State" means the Secretary of State of 
  the United States or his or her designee.

       (4)  The term "Secretary of Defense" means the Secretary of Defense 
  of the United States or his or her designee.

       (5)  The term "Attorney General" means the Attorney General of the 
  United States or his or her designee.

       (6)  The term "encryption" means the transformation of data 
  (including communications) in order to hide its information content.  To 
  "encrypt" is to perform encryption.

       (7)  The term "decryption" means the retransformation of data 
  (including communications) that has been encrypted into the data's 
  original form.

       (8)  The term "plaintext" refers to data (including communications) 
  that has not been encrypted, or if encrypted, has been decrypted.

       (9)  The term "ciphertext" refers to data (including 
  communications) that has been encrypted.

       (10)  The term "key" means a parameter, or a component thereof, 
  used with an algorithm to validate, authenticate, encrypt or decrypt a 
  message.

       (11)  The term "public key" means for cryptographic systems that 
  use different keys for encryption and decryption, the key that is 
  intended to be publicly known.

       (12)  The term "public key certificate" means information about a 
  public key and its user, particularly including information that 
  identifies that public key with its user, which has been digitally 
  signed by the person issuing the public key certificate, using a private 
  key of the issuer.

       (13)  The term "Certificate Authority" means a person trusted by 
  one or more persons to create and assign public key certificates.

       (14)  The term "Key Recovery Agent" means a person trusted by one 
  or more persons to hold and maintain sufficient information to allow 
  access to the data or communications of the person or persons for whom 
  that information is held, and who holds and maintains that information 
  as a business or governmental practice, whether or not for profit.

       (15)  The term "recovery information" means keys or other 
  information provided to a Key Recovery Agent by a person, that can be 
  used to decrypt that person's data and communications.

       (16)  The term "electronic information" includes but is not 
  limited to voice communications, texts, messages, recordings, images or 
  documents, in any electronic, electromagnetic, photoelectronic, 
  photooptical, or digitally encoded computer-readable form.

       (17)  The term "electronic communication" has the meaning given 
  such term in section 2510 (12) of title 18, United States Code.

       (18)  The term "wire communications" has the meaning given such 
  term in section 2510(1) of title 18, United States Code.

       (19)  The term "government" means the government of the United 
  States and any agency or instrumentality thereof, a State or political 
  subdivision of a State, the District of Columbia, or commonwealth, 
  territory, or possession of the United States.

       (20)  The term "cryptographic product" means any product 
  (including, but not limited to, hardware, firmware, or software, or some 
  combination thereof), that is designed, adapted, or configured to use a 
  cryptographic algorithm to protect or assure the integrity, 
  confidentiality and/or authenticity of information.

       (21)  The term "encryption product" means a cryptographic product 
  that can be used to encrypt or decrypt data.

From: user@yellow.submarine.pla ()
Subject: Re: Clinton Administration trying to prohibit real encryption
Date: 1997/03/30
Message-ID: <5hm1lu$pn@camel1.mindspring.com>#1/1
X-Deja-AN: 229455628
References: <199703292325.SAA07521@psilocin.gnu.ai.mit.edu> 
<87u3luot4d.fsf@albatros.wco.com>
Organization: Yellow Brick Road
Newsgroups: gnu.misc.discuss


In article <87u3luo...@albatros.wco.com>, Al Petrofsky wrote:
>r...@gnu.ai.mit.edu (Richard Stallman) writes:
>
>> Ever since the Clinton administration proposed the "Clipper chip",
>> they have been saying "This is just voluntary", and privacy activists
>> have been saying "They are lying".  Now the administration has proved
>> the privacy activists right, by proposing laws to *prohibit* using
>> encryption to keep secrets from the government.
>
>After reading the draft legislation, I agree it's terrible, but I
>don't see how you can say it prohibits using encryption to keep
>secrets from the government.  It sets up a government-endorsed key

The legislation enumerates a number of vague authorized accesses for the 
government to lawfully gain access to your encrypted stuff.  It also 
contains criminal penalties if the government encounters cryptography
and requires you to prove you used the voluntary key escrow system as 
essentially your only defense.  Of course this defense has the result that
you give the government access to your stuff.  I am not aware that the 
government can force you to give up your keys upon demand currently so this
would be a radical change in the status quo.  Note that this includes storage 
on your hard drive, not just your communications.

Assuming that key escrow is a good idea from a business standpoint, who 
would volunteer to set up a system without the indemnity guaranteed by the
bill?  You'd still have to provide the keys 

  (2)  to a law enforcement or national security government agency
       upon receipt of written authorization in a form to be specified by
       the Attorney General

You just wouldn't have the protections against liability given to the 
certified agencies.

Isaac

From: Al Petrofsky <alba...@wco.com>
Subject: Re: Clinton Administration trying to prohibit real encryption
Date: 1997/03/31
Message-ID: <87pvwgpihv.fsf@albatros.wco.com>#1/1
X-Deja-AN: 229600267
Sender: a...@albatros.wco.com
References: <199703292325.SAA07521@psilocin.gnu.ai.mit.edu>
X-Server-Date: 31 Mar 1997 08:34:37 GMT
Organization: The Vegetable Liberation Front
Newsgroups: gnu.misc.discuss


user@yellow.submarine.pla () writes:

> 
> In article <87u3luo...@albatros.wco.com>, Al Petrofsky wrote:
> >r...@gnu.ai.mit.edu (Richard Stallman) writes:
> >
> >> Ever since the Clinton administration proposed the "Clipper chip",
> >> they have been saying "This is just voluntary", and privacy activists
> >> have been saying "They are lying".  Now the administration has proved
> >> the privacy activists right, by proposing laws to *prohibit* using
> >> encryption to keep secrets from the government.
> >
> >After reading the draft legislation, I agree it's terrible, but I
> >don't see how you can say it prohibits using encryption to keep
> >secrets from the government.  It sets up a government-endorsed key
> 
> The legislation enumerates a number of vague authorized accesses for the 
> government to lawfully gain access to your encrypted stuff.  

It allows the government to gain access to your private keys ***IF YOU
WERE STUPID ENOUGH TO GIVE YOUR PRIVATE KEYS TO AN ESCROW AGENT***.
This has no effect on intelligent encryption users.  There is no good
reason for anyone to ever give his private key to anyone.  A
legitimate Certificate Authority deals only in public keys, never
asking anyone for his private key, and therefore never even being in a
position to give away a private key to the government.  The draft
legislation does not prohibit the operation of such Certificate
Authorities.

> Assuming that key escrow is a good idea from a business standpoint, who 
> would volunteer to set up a system without the indemnity guaranteed by the
> bill?  You'd still have to provide the keys 
> 
>   (2)  to a law enforcement or national security government agency
>        upon receipt of written authorization in a form to be specified by
>        the Attorney General
> 
> You just wouldn't have the protections against liability given to the 
> certified agencies.

Key escrow is a bad idea from every standpoint except that of J. Edgar
Hoover wannabes.  The section you're quoting (302(A)) applies to "Key
Recovery Agents", not to Certificate Authorities.  Again, a reputable
Certificate Authority does not even have anyone's private keys anyway.
From a business standpoint, I think such a CA would attract a lot more
customers than one which asked for private keys and gave them to the
government on demand.

> 
> Isaac

-al

From: r...@gnu.ai.mit.edu (Richard Stallman)
Subject: Clinton encryption proposal, take two
Date: 1997/04/03
Message-ID: <199704030529.AAA03474@psilocin.gnu.ai.mit.edu>#1/1
X-Deja-AN: 230315697
Sender: gnu-misc-dis...@prep.ai.mit.edu
x-gateway: relay5.UU.NET from gnu-misc-discuss to gnu.misc.discuss; 
Thu, 3 Apr 1997 00:27:45 EST
Newsgroups: gnu.misc.discuss


It looks like I was mistaken about the nature of the administration's
latest key escrow proposal.  I saw the words "seeks to impose..." in
the VTW announcement, and took that as a clear statement that this was
a mandatory scheme, not another voluntary one.

Then Alabaster Petrofsky looked at the text of the law, and says that
it does not make key escrow mandatory.  So it looks like I
misunderstood the situation.  I am sorry for any confusion that I
caused, and I'm grateful for the correct information.

The law seems to be obnoxious for other reasons, so I hope people will
go ahead and follow the VTW's recommendations.  And we still need free
software for public key encryption, to replace non-free programs such
as PGP and ssh.